VID 210110
Severity 40
Port 80, ...
Protocol TCP
Class CGI
Detailed Description Joomla! installations that use the Custom Pages component are vulnerable to remote file inclusion via the 'cpage' parameter. Joomla! is an open-source content management system written in PHP. Custom Pages is a third-party module for Joomla!. Custom Pages component version 1.1 and earlier are affected because the 'custompages.php' script does not properly validate input when processing the 'cpage' parameter. By sending a specially crafted URL request to the 'index.php' script using the 'cpage' parameter, a remote attacker could execute arbitrary PHP code with the privileges of the web server, regardless of PHP's 'register_globals' setting.

* References:
http://www.milw0rm.com/exploits/5294
http://secunia.com/advisories/29520

* Platforms Affected:
Simple Rapid Addon Dev, Custompages component for Joomla! version 1.1 and earlier versions
Any operating system Any version
Recommendation No upgrade or patch available as of June 2014.

Upgrade to a fixed version of the Custompages component when one becomes available from the Joomla! Extensions Directory Web site at http://extensions.joomla.org/component/option,com_mtree/task,viewlink/link_id,1125/Itemid,35/
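
With no fixed version available, one practical check is to review web server access logs for requests whose 'cpage' value points at a remote resource. The following is an added example, not part of the original advisory or of the component's code; the common/combined log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Request target inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Value that starts with a URI scheme ("scheme:") or is protocol-relative ("//host").
REMOTE_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*:|//)", re.IGNORECASE)

# Constructed sample log lines (documentation addresses, .invalid hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2014:10:00:00 +0000] "GET /index.php?cpage=about HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jun/2014:10:00:05 +0000] "GET /index.php?cpage=http://files.example.invalid/a.txt HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jun/2014:10:00:09 +0000] "GET /index.php?cpage=hTTp%253A%252F%252Ffiles.example.invalid%252Fa.txt HTTP/1.1" 200 312',
    '203.0.113.4 - - [01/Jun/2014:10:01:00 +0000] "GET /index.php?page=2&ref=http://example.org/ HTTP/1.1" 200 900',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so multiply-encoded values are also inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_cpage(log_line):
    """Return the decoded 'cpage' value if it refers to a remote resource, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    query = match.group(1).partition("?")[2]
    # parse_qsl decodes once; fully_decode strips any further encoding layers.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name == "cpage" and REMOTE_RE.match(fully_decode(value)):
            return fully_decode(value)
    return None

def scan(lines):
    """Return (client address, decoded cpage value) for every flagged line."""
    hits = []
    for line in lines:
        value = suspicious_cpage(line)
        if value is not None:
            hits.append((line.split(" ", 1)[0], value))
    return hits

print(scan(SAMPLE_LOG))
```

Access logs record only the request line, so a 'cpage' value sent in a POST body is not visible to this check.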
Related URL CVE-2008-1505 (CVE)
Related URL 28409 (SecurityFocus)
Related URL 41396 (ISS)